“Trust is everything--and cybersecurity is the business of everyone,” said Proximus NXT’s deputy director of client services Thierry Bousez in his introductory remarks to a roundtable discussion focussed on resilience, organised by the Paperjam Club and held at Proximus House in Bertrange on 29 April 2025.
“We’re in a complex world,” added Yvon Boutry, security team leader at Proximus NXT and co-moderator of the discussion. “Cybersecurity is no longer just a technical challenge, but a strategic priority. At the same time, the number and sophistication of attacks are increasing, and the question is not to know if you will be attacked, but when you will be attacked.”
Indeed, technology is constantly evolving, said panellist Gabriele Lenzini, associate professor at the University of Luxembourg. There are new environments and new situations that we need to constantly adapt to in order to prevent mistakes and cyberattacks.
In this digital, interconnected world, “cyber-resilience is not just a tech issue,” said Sabika Ishaq, head of information security and CISO at Grant Thornton Luxembourg. “It is a societal concern. The line between physical security and digital security is blurring, and because of that, whenever there is an incident--whether it’s a cyber incident or any other incident--it affects not only the system itself, but actually affects lives.” Take, for instance, the massive power outage in Spain and Portugal that happened on Monday, 28 April. Though it has not, at the moment, been established as a cyber-incident, the outage goes to show the interconnectivity and dependency of critical infrastructure and how it can have an impact on the economy.
The Colonial Pipeline ransomware attack in 2021, meanwhile, consisted of a cyberattack that affected computerised equipment managing oil infrastructure and the company’s pipeline system. This cyberattack had an impact on the US, causing fuel shortages and economic disruptions, Ishaq pointed out. If we take these two incidents and place them against the backdrop of geopolitical tensions--whether they be fallout from Donald Trump’s tariffs, the strained relationship between the US and China, or Russia’s full-scale invasion of Ukraine--then “the digital landscape becomes even more volatile. So that is why cyber-resilience cannot be treated as a tech strategy anymore. It has to be treated as an imperative.”

“Cyber-resilience cannot be treated as a tech strategy anymore,” said Sabika Ishaq, head of information security and CISO at Grant Thornton Luxembourg. “It has to be treated as an imperative.” Photo: Eva Krins/Maison Moderne
“Our lives depend on technology,” added Lars Weber, Spuerkeess’ head of non-financial risk management and chief information security officer. “There can be disruptions, there can be hardware failures, there can be cyberattacks, there can also be just human errors, creating a whole chain of events that eventually lead up to events that we saw [on Monday].” Resilience is key, he said, and needs to be considered for every system that we put in place.
Cybersecurity and resilience are not just issues for the IT department, emphasised panellist Wided Guedria, training manager at the Digital Learning Hub. It should be part of the company culture, from the secretarial level all the way to the top management.
The importance of preparedness
We all operate in a digital world nowadays, no matter the sector or company. Everybody needs to be prepared for a cyberattack. So what are some measures that have been--or should be--put in place to ensure cyber-resilience?
“Before you consider the technical aspects, I think you have to really understand how your company works. What are the most critical processes you have that must continue working?” replied Weber. Once you’ve prioritised the most important processes, then you can consider technical solutions, awareness management or other measures. “Paperwork has to be done before you start buying fancy new stuff.”

“Before you consider the technical aspects, I think you have to really understand how your company works,” said Lars Weber, vice president and head of non-financial risk management and chief information security officer at Spuerkeess. Photo: Eva Krins/Maison Moderne
“I absolutely agree that we have to look internally first when we are trying to measure resilience,” added Ishaq. But it’s crucial to understand that, in this “digitally connected world,” organisations are connected to others. It’s not just one player that is affected--there can be a “cascading effect” throughout the entire supply chain. Look at the , she said, referring to a global IT meltdown that affected sectors including airlines, banks, hospitals and retailers in various regions. This is an example of when the failure of one player “in the middle” had a domino effect on many other companies.
Regulations like NIS2 or the Digital Operational Resilience Act can help with resilience. Complying with these should not just be a “tick-the-box” exercise, she continued, but “resilience has to be embedded within the infrastructure of the organisation.”
Organisations are active worldwide, Lenzini agreed, adding that it’s important to understand how things can go wrong before they get out of control. Once a crisis actually starts, the damage can “scale up very fast.” And once the horses have escaped the barn, he said, borrowing an Italian saying, it’s too late to close the door. “You need to be prepared. Awareness and risk analysis are actually a very important part of the preparedness.” And for him, “being prepared is part of the business.”

“You need to be prepared. Awareness and risk analysis are actually a very important part of the preparedness,” said Gabriele Lenzini, professor at the Interdisciplinary Centre for Security, Reliability and Trust at the University of Luxembourg. Photo: Eva Krins/Maison Moderne
Regulation and risk assessments are important, but being proactive with training--at all levels of the company, no matter their familiarity with cybersecurity--and implementing best practices is key, added Guedria. Education and training are key to boost resilience, but it’s also important to “develop critical thinking and get all departments of an enterprise involved.”
“I can only stress the importance of regular exercises,” agreed Weber. Getting experts around the table and simulating crises is key. “You may find problems that you couldn’t imagine before,” he noted. “Sometimes, even if the technical side is clear--which is not always the case--then you have to see, okay, who can take the decision to shut down the whole company for a few hours? Most cases, it’s not the developer or the system engineer who can take this decision.” That’s why it’s crucial to involve top management in these kinds of exercises. “Then you go into a real incident in a much more prepared way.”
“The House of Cybersecurity with Room 42 are doing an amazing job with simulation exercises,” noted Guedria, referring to a cyberattack simulation experience where participants are asked to manage a cyber crisis within a limited amount of time.

Being proactive with training--at all levels of the company, no matter their familiarity with cybersecurity--and implementing best practices is key, said Wided Guedria, training manager at the Digital Learning Hub, an initiative of Luxembourg’s education ministry. Photo: Eva Krins/Maison Moderne
Ishaq also underlined the importance of allowing people to actually use technology in order to prepare themselves--and not inhibiting them. “In order to be prepared and be aware and be educated on the latest technological advancements that we have, we need to allow everyone to actually use that technology,” she said. “For example, when ChatGPT came, a lot of organisations locked them on their firewalls. But they had to unlock them because people found different avenues to still use it. You have to allow people to actually use technology in order to know how it works and what is behind it, in order for them to learn and be educated and be aware.”
“Good point,” said Lenzini. “Transparency is also important.” If certain sites or tools are banned, there’s the risk of shadow IT--the use of technology or certain IT-related hardware or software without the knowledge or permission of the IT department of a company--flourishing. And this, in turn, can lead to even more risks for the company. To prevent this, alternative options can be proposed. But it can take time for an alternative option to be proposed--and in the meantime, people will find workarounds to any restrictions that have been imposed, which is why it’s key to educate teams on the use and potential risks of tools like ChatGPT.
Finding the “right balance” between humans and machines
Many cyberattacks come about because of a human error. With the increase in technology, should we humans perhaps just relinquish control and allow the tech to handle everything?
Relinquishing all control is a bit of an oversimplification, replied Ishaq. What’s important is to find “the right balance” between machines and humans.
Indeed, “machines are better than us in certain tasks, and we are better than machines for other tasks,” added Weber. “We have to understand the weaknesses and strengths of humans and machines and then be able to get a balance and delegate tasks to machines--like analysing logs--which we don’t want to do and cannot do as swiftly as machines and algorithms.”
Sometimes, a “human error” isn’t necessarily the fault of a human, said Lenzini. “Sometimes, what is seen as a human error is because the system has not been designed or considered to be used by humans.” The issue would therefore lie in the conception of the system. “So systems should be designed and developed in a way so that they harmonise with the work of humans.”
Humans are at the centre of cyber-resilience and tech, said Guedria. “We can use it--and we can misuse it. It’s up to us, and it’s very important to make sure technology is there to be used and to make us stronger.”

“The question is not to know if you will be attacked, but when you will be attacked,” said Yvon Boutry, security team leader at Proximus NXT and co-moderator of the roundtable discussion. Photo: Eva Krins/Maison Moderne
AI can boost defence, but also be used by criminals
One of the most commonly talked about technological tools nowadays is artificial intelligence. What are some of the ways AI could be used in cybersecurity--and what are some potential risks?
“AI will give you the additional speed that you need to defend yourself quickly,” replied Weber. It can, for instance, review the different log files that you have on your systems. “No human can ever digest all these logs in such a way and at the same speed as an AI solution can do. Clearly, this is one of the big advantages that we see.” An AI solution can also monitor logs continuously, he added, and trigger certain defence mechanisms.
But AI doesn’t just allow organisations to react to incidents more quickly, cautioned Ishaq. “When we look at the underworld ecosystem of cybercriminals, they are also using the same technology--but they’re using it at a scale and speed which is much faster than how organisations are able to actually respond to these attacks. The reason being, again: we are not investing enough in the technology. We do not have the budget, the resources and capacity to bring these technological advancements onward, or embrace it, or to augment our job or our tasks.” Criminals, for instance, are not going to be adhering to the ethical standards or the . “We are constantly in a cat-and-mouse race of trying to catch up,” she said. Technology is far ahead, and we’re playing catchup. “AI would augment and enhance the capacity and capabilities that we have, but what we are doing at the moment is just not enough.”
Artificial intelligence, said Weber, is “there to stay,” and “we have to use AI to stay competitive.”
Key takeaways
To wrap up the panel, each participant was asked about the most important takeaway from the discussion.
Lenzini compared running a business to flying a plane and highlighted the importance of preparedness: the more you know about the environment, the technology and how everything is interconnected, the better off your business is.
“Don’t wait for the problems, for the crisis to happen,” said Weber. “Be prepared and train the staff accordingly before the crisis happens, because we will not have time to acquire the different knowledge during times of crisis.”
“Resilience does not mean that you eliminate all your risks,” concluded Ishaq. “It’s about outpacing them. It’s about expecting the unexpected at all times. In cybersecurity, preparedness is your superpower.”
Guedria’s takeaway echoed the start of the discussion. “Cybersecurity,” she said, “is the business of everyone. It’s a mindset, and it should start with training, not with technology.”